
CVE-2025-48936: CWE-601: URL Redirection to Untrusted Site ('Open Redirect') in zitadel zitadel

Severity: High
Tags: Vulnerability, CVE-2025-48936, cve, cwe-601
Published: Fri May 30 2025 (05/30/2025, 06:30:57 UTC)
Source: CVE Database V5
Vendor/Project: zitadel
Product: zitadel

Description

Zitadel is open-source identity infrastructure software. Prior to versions 2.70.12, 2.71.10, and 3.2.2, a potential vulnerability exists in the password reset mechanism. ZITADEL utilizes the Forwarded or X-Forwarded-Host header from incoming requests to construct the URL for the password reset confirmation link. This link, containing a secret code, is then emailed to the user. If an attacker can manipulate these headers (e.g., via host header injection), they could cause ZITADEL to generate a password reset link pointing to a malicious domain controlled by the attacker. If the user clicks this manipulated link in the email, the secret reset code embedded in the URL can be captured by the attacker. This captured code could then be used to reset the user's password and gain unauthorized access to their account. This specific attack vector is mitigated for accounts that have Multi-Factor Authentication (MFA) or Passwordless authentication enabled. This issue has been patched in versions 2.70.12, 2.71.10, and 3.2.2.

AI-Powered Analysis

Last updated: 07/07/2025, 21:25:38 UTC

Technical Analysis

CVE-2025-48936 is a high-severity open redirect vulnerability (CWE-601) affecting Zitadel, open-source identity infrastructure software. The vulnerability exists in the password reset mechanism of Zitadel versions prior to 2.70.12, between 2.71.0 and 2.71.10, and between 3.0.0-rc1 and 3.2.2. Zitadel constructs the password reset confirmation URL from the Forwarded or X-Forwarded-Host HTTP headers of the incoming request. An attacker capable of manipulating these headers (for example, via host header injection) can cause Zitadel to generate a password reset link that points to a malicious domain controlled by the attacker. This link contains a secret reset code and is emailed to the user. If the user clicks the malicious link, the attacker can capture the secret code embedded in the URL and use it to reset the user's password, thereby gaining unauthorized access to the user's account. The attack requires user interaction (clicking the link), and no authentication is needed to exploit the vulnerability. However, accounts protected by Multi-Factor Authentication (MFA) or Passwordless authentication are not vulnerable to this attack vector, as these mechanisms prevent unauthorized password resets even if the secret code is compromised. The vulnerability has been patched in Zitadel versions 2.70.12, 2.71.10, and 3.2.2. The CVSS v3.1 score is 8.1 (high), reflecting the network attack vector, low attack complexity, no privileges required, user interaction required, unchanged scope, and high impact on confidentiality and integrity but no impact on availability. No known exploits are reported in the wild at this time.

Potential Impact

For European organizations using Zitadel for identity and access management, this vulnerability poses a significant risk of account takeover through password reset abuse. Successful exploitation could lead to unauthorized access to sensitive systems and data, potentially resulting in data breaches, identity theft, and disruption of business operations. The compromise of user accounts could also facilitate lateral movement within networks, privilege escalation, and unauthorized access to critical resources. Organizations relying on Zitadel without enforcing MFA or passwordless authentication are particularly vulnerable. Given Zitadel's role in managing authentication and identity, exploitation could undermine trust in the organization's security posture and lead to regulatory compliance issues under GDPR if personal data is exposed. The requirement for user interaction (clicking a malicious link) means phishing campaigns could be used to exploit this vulnerability, increasing the risk in environments where users are not well trained against social engineering attacks.

Mitigation Recommendations

European organizations should immediately verify their Zitadel deployment versions and upgrade to patched versions 2.70.12, 2.71.10, or 3.2.2 as applicable. If immediate patching is not feasible, organizations should implement strict validation and sanitization of the Forwarded and X-Forwarded-Host headers at the web server or reverse proxy level to prevent host header injection attacks. Additionally, enforcing Multi-Factor Authentication (MFA) or passwordless authentication for all user accounts will mitigate the risk of unauthorized password resets even if the secret code is compromised. Organizations should also educate users to be cautious of password reset emails and suspicious links, and implement email security controls such as DMARC, DKIM, and SPF to reduce phishing risks. Monitoring logs for unusual password reset requests and anomalous header values can help detect exploitation attempts. Finally, security teams should review and harden the overall password reset workflow to ensure URLs are constructed only from trusted sources and not influenced by user-controllable headers.
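As an added illustration of the last recommendation (example code, not Zitadel's own), the Go snippet below derives the reset link's host from a configured allowlist of external hostnames instead of trusting whatever the Forwarded or X-Forwarded-Host header carries; the hostnames, path and query parameter names are assumptions.

```go
package main

import (
	"fmt"
	"net/http"
	"net/url"
	"strings"
)

// Assumed config (not a Zitadel config key): hostnames this instance is served under.
var trustedHosts = map[string]bool{"auth.example.com": true}
const defaultHost = "auth.example.com"

// forwardedHost extracts host= from an RFC 7239 Forwarded value (first element only),
// e.g. `for=10.0.0.1;host=auth.example.com;proto=https`; "" if absent.
func forwardedHost(v string) string {
	first := strings.SplitN(v, ",", 2)[0]
	for _, pair := range strings.Split(first, ";") {
		k, val, ok := strings.Cut(strings.TrimSpace(pair), "=")
		if ok && strings.EqualFold(k, "host") {
			return strings.Trim(strings.TrimSpace(val), `"`)
		}
	}
	return ""
}

// resetLinkHost: a header-supplied host counts only if allowlisted (CVE-2025-48936 trusted it outright).
func resetLinkHost(h http.Header) string {
	candidate := forwardedHost(h.Get("Forwarded"))
	if candidate == "" {
		candidate = h.Get("X-Forwarded-Host")
	}
	candidate = strings.ToLower(strings.TrimSpace(candidate))
	if trustedHosts[candidate] {
		return candidate
	}
	return defaultHost
}

// BuildResetLink builds the emailed link (placeholder path); code is the secret, so the host must be trusted.
func BuildResetLink(h http.Header, userID, code string) string {
	u := url.URL{Scheme: "https", Host: resetLinkHost(h), Path: "/password/confirm"}
	u.RawQuery = url.Values{"userID": {userID}, "code": {code}}.Encode()
	return u.String()
}

func main() {
	h := http.Header{"X-Forwarded-Host": {"attacker.example"}} // constructed spoofed header
	fmt.Println(BuildResetLink(h, "u1", "c0de"))               // host stays auth.example.com
}
```

The complementary control at the reverse proxy is to overwrite, not pass through, any client-supplied Forwarded and X-Forwarded-Host values, so the application only ever sees what the proxy itself set.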


Technical Details

Data Version: 5.1
Assigner Short Name: GitHub_M
Date Reserved: 2025-05-28T18:49:07.577Z
CVSS Version: 3.1
State: PUBLISHED

Threat ID: 683953b3182aa0cae2a2dd0f

Added to database: 5/30/2025, 6:44:03 AM

Last enriched: 7/7/2025, 9:25:38 PM

Last updated: 8/15/2025, 12:37:49 AM
